The importance of software composition analysis (SCA) of third-party components in the development process keeps growing with every annual report on vulnerabilities in open source libraries published by Synopsys, Sonatype, Snyk, and WhiteSource. According to the report
One of the most illustrative cases
This article discusses the choice of an SCA tool from the point of view of the quality of the analysis results. A functional comparison of the tools is also given. Embedding SCA into CI/CD and integration capabilities are left for subsequent publications. A range of tools is listed by OWASP
How it works
Let's look at what a CPE looks like:
cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
- Part: indicates whether the component is an application (a), an operating system (o), or hardware (h) (required)
- Vendor: name of the product manufacturer (required)
- Product: product name (required)
- Version: version of the component (deprecated attribute)
- Update: package update
- Edition: legacy edition (deprecated)
- Language: language as defined in RFC 5646
- SW Edition: software edition
- Target SW: the software environment in which the product operates
- Target HW: the hardware environment in which the product operates
- Other: vendor or product information
A CPE example looks like this:
cpe:2.3:a:pivotal_software:spring_framework:3.0.0:*:*:*:*:*:*:*
This line means that CPE version 2.3 describes an application component from the vendor pivotal_software with the name spring_framework and version 3.0.0. If we open the vulnerability
Package URL (purl) is also used by SCA tools. The package URL format is as follows:
scheme:type/namespace/name@version?qualifiers#subpath
- Scheme: always 'pkg', indicating that this is a package URL (required)
- Type: the package "type" or package "protocol", such as maven, npm, nuget, gem, pypi, etc. (required)
- Namespace: a name prefix such as a Maven group id, a Docker image owner, or a GitHub user or organization. Optional and type-specific.
- Name: package name (required)
- Version: package version
- Qualifiers: additional qualifying data for the package, such as OS, architecture, distribution, etc. Optional and type-specific.
- Subpath: an additional path inside the package, relative to the package root
For example:
pkg:golang/google.golang.org/genproto#googleapis/api/annotations
pkg:maven/org.apache.commons/io@1.3.4
pkg:pypi/django@1.11.1
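Added example (not code from the article or from the CPE/purl projects): a parser for the two identifier formats just described, plus the simple attribute matching an NVD-keyed scanner performs on CPEs, which is where vendor/product over-matching starts. Function and class names are mine; the sample strings are the ones above plus one constructed purl with a qualifier.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote

# the 11 attributes that follow "cpe:2.3", in the order listed above
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe(s: str) -> List[str]:
    """Split on ':' while keeping an escaped separator ('\\:') inside its field."""
    fields, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # escaped character: copy both, skip
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == ":":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    fields.append("".join(buf))
    return fields


def parse_cpe23(s: str) -> Dict[str, str]:
    """Return the 11 CPE attributes; '*' means ANY and '-' means NOT APPLICABLE."""
    parts = split_cpe(s)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {s!r}")
    attrs = dict(zip(CPE_FIELDS, parts[2:]))
    if attrs["part"] not in ("a", "o", "h", "*", "-"):
        raise ValueError(f"invalid part {attrs['part']!r}")
    return attrs


def cpe_match(pattern: str, target: str) -> bool:
    """True when every attribute of `pattern` is ANY or equals the target's.
    Simplified: the CPE matching standard also treats '-' and partial '*'/'?'
    wildcards.  A pattern with version '*' matches every version, which is why
    vendor/product alone is not enough to decide that a CVE applies."""
    p, t = parse_cpe23(pattern), parse_cpe23(target)
    return all(p[k] == "*" or p[k] == t[k] for k in CPE_FIELDS)


@dataclass
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(s: str) -> Purl:
    """Decode pkg:type/namespace/name@version?qualifiers#subpath, splitting
    from the right (subpath, then qualifiers, then version) as the spec does."""
    if not s.startswith("pkg:"):
        raise ValueError(f"purl must start with 'pkg:': {s!r}")
    rest = s[len("pkg:"):].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, qual = rest.partition("?")
    qualifiers: Dict[str, str] = {}
    for pair in filter(None, qual.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)
    head, at, version = rest.rpartition("@")
    if not at:                      # no '@': rpartition put everything in `version`
        head, version = version, ""
    type_, _, path = head.partition("/")
    segments = [unquote(seg) for seg in path.split("/") if seg]
    if not type_ or not segments:
        raise ValueError(f"purl needs a type and a name: {s!r}")
    return Purl(type=type_.lower(), name=segments[-1],
                namespace="/".join(segments[:-1]) or None,
                version=unquote(version) or None, qualifiers=qualifiers,
                subpath=subpath.strip("/") or None)
```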
For example, this is what a BOM can look like in XML format:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
  <components>
    <component type="library">
      <publisher>Apache</publisher>
      <group>org.apache.tomcat</group>
      <name>tomcat-catalina</name>
      <version>9.0.14</version>
      <hashes>
        <hash alg="MD5">3942447fac867ae5cdb3229b658f4d48</hash>
        <hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
        <hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
        <hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
      </hashes>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14</purl>
    </component>
    <!-- More components here -->
  </components>
</bom>
```
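Added example (not code from the article or the CycloneDX project): reading a CycloneDX 1.2 BOM like the one above and checking each component for the inconsistencies that make an SCA tool miss or mis-identify it (name/version/purl disagreement, malformed hashes, missing license). SAMPLE_BOM is the page's sample trimmed to one component; the check rules and names are mine.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"b": "http://cyclonedx.org/schema/bom/1.2"}
# hex-digest lengths for the hash algorithms that appear in the sample BOM
DIGEST_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-512": 128}

# constructed input: the page's BOM, reduced to one component and two hashes
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
  <components>
    <component type="library">
      <publisher>Apache</publisher>
      <group>org.apache.tomcat</group>
      <name>tomcat-catalina</name>
      <version>9.0.14</version>
      <hashes>
        <hash alg="MD5">3942447fac867ae5cdb3229b658f4d48</hash>
        <hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
      </hashes>
      <licenses><license><id>Apache-2.0</id></license></licenses>
      <purl>pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.14</purl>
    </component>
  </components>
</bom>"""


def _text(el: ET.Element, tag: str) -> Optional[str]:
    child = el.find(f"b:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def parse_bom(xml_text: str) -> List[Dict]:
    """Return one dict per <component> with the fields an SCA tool keys on."""
    root = ET.fromstring(xml_text)
    comps = []
    for c in root.findall("b:components/b:component", NS):
        comps.append({
            "type": c.get("type"),
            "group": _text(c, "group"),
            "name": _text(c, "name"),
            "version": _text(c, "version"),
            "purl": _text(c, "purl"),
            "hashes": {h.get("alg"): (h.text or "").strip().lower()
                       for h in c.findall("b:hashes/b:hash", NS)},
            "licenses": [lic.text for lic in
                         c.findall("b:licenses/b:license/b:id", NS)],
        })
    return comps


def check_component(comp: Dict) -> List[str]:
    """List what is wrong with a component; an empty list means it is usable."""
    problems = []
    if not comp["name"] or not comp["version"]:
        problems.append("missing name or version: nothing to match a CPE or purl on")
    purl = comp["purl"]
    if not purl:
        problems.append("missing purl: registry lookups such as OSS Index key on it")
    else:
        expected = f"/{comp['name']}@{comp['version']}"
        if not purl.endswith(expected):
            problems.append(f"purl {purl!r} does not end with {expected!r}")
        if comp["group"] and f"/{comp['group']}/" not in purl:
            problems.append(f"purl namespace does not match group {comp['group']!r}")
    for alg, digest in comp["hashes"].items():
        want = DIGEST_LEN.get(alg)
        if want is None:
            problems.append(f"unexpected hash algorithm {alg!r}")
        elif len(digest) != want or any(ch not in "0123456789abcdef" for ch in digest):
            problems.append(f"{alg} digest is not a {want}-character hex string")
    if not comp["licenses"]:
        problems.append("no license id: license cleanliness cannot be assessed")
    return problems


def check_bom(xml_text: str) -> Dict[str, List[str]]:
    """Map 'group:name:version' to its problem list for every component."""
    return {f"{c['group']}:{c['name']}:{c['version']}": check_component(c)
            for c in parse_bom(xml_text)}
```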
A BOM can be used not only as the input for Dependency-Track, but also as a software bill of materials for the supply chain, for example when delivering software to a customer. In 2014 a bill was even proposed in the USA
Returning to SCA: Dependency-Track has ready-made integrations with notification platforms such as Slack and with vulnerability management systems such as Kenna Security. It is also worth mentioning that Dependency-Track, among other things, identifies outdated package versions and provides license information (with SPDX support).
If we talk specifically about SCA quality, there is a fundamental difference.
Dependency-Track does not accept a project as input, but a BOM. This means that if we want to test a project, we first need to generate bom.xml, for example with CycloneDX. Thus Dependency-Track depends directly on CycloneDX. At the same time, this allows automation. This is what the OZON team wrote
Let's summarize some of the functional features and also look at the languages supported for analysis:

| Language | Nexus IQ | Dependency-Check | Dependency-Track |
|---|---|---|---|
| Java | + | + | + |
| C / C++ | + | + | - |
| C# | + | + | - |
| .Net | + | + | + |
| Erlang | - | - | + |
| JavaScript (NodeJS) | + | + | + |
| PHP | + | + | + |
| Python | + | + | + |
| Ruby | + | + | + |
| Perl | - | - | - |
| Scala | + | + | + |
| Objective C | + | + | - |
| Swift | + | + | - |
| R | + | - | - |
| Go | + | + | + |
Functionality

| Functionality | Nexus IQ | Dependency-Check | Dependency-Track |
|---|---|---|---|
| Ability to check that the components used in the source code have been checked for license cleanliness | + | - | + |
| Ability to scan and analyze Docker images for vulnerabilities and license cleanliness | + Clair integration | - | - |
| Ability to configure security policies for the use of open source libraries | + | - | - |
| Ability to scan open source repositories for vulnerable components | + RubyGems, Maven, NPM, Nuget, Pypi, Conan, Bower, Conda, Go, p2, R, Yum, Helm, Docker, CocoaPods, Git LFS | - | + Hex, RubyGems, Maven, NPM, Nuget, Pypi |
| Availability of a dedicated research team | + | - | - |
| Operation in an isolated (closed) network | + | + | + |
| Use of third-party vulnerability databases | + Sonatype closed database | + Sonatype OSS, NPM Public Advisories | + Sonatype OSS, NPM Public Advisories, RetireJS, VulnDB, support for an own vulnerability database |
| Ability to filter open source components according to configured policies when they are pulled into the development loop | + | - | - |
| Vulnerability remediation recommendations, availability of fix links | + | +- (depends on the description in public databases) | +- (depends on the description in public databases) |
| Ranking of detected vulnerabilities by severity | + | + | + |
| Role-based access model | + | - | + |
| CLI support | + | + | +- (CycloneDX only) |
| Sampling/sorting of vulnerabilities by defined criteria | + | - | + |
| Application-level dashboard | + | - | + |
| Report generation in PDF format | + | - | - |
| Report generation in JSON/CSV format | + | + | - |
| Russian language support | - | - | - |
Integration capabilities

| Integration | Nexus IQ | Dependency-Check | Dependency-Track |
|---|---|---|---|
| LDAP/Active Directory integration | + | - | + |
| Integration with the Bamboo continuous integration system | + | - | - |
| Integration with the TeamCity continuous integration system | + | - | - |
| Integration with the GitLab continuous integration system | + | +- (as a plugin for GitLab) | + |
| Integration with the Jenkins continuous integration system | + | + | + |
| Availability of IDE plugins | + IntelliJ, Eclipse, Visual Studio | - | - |
| Support for custom integration through the tool's web services (API) | + | - | + |
Dependency-Check
First run
Let's run Dependency-Check on a deliberately vulnerable application. For this we use:
mvn org.owasp:dependency-check-maven:check
As a result, dependency-check-report.html appears in the target directory.
Let's open the file. After the summary information about the total number of vulnerabilities, we see information about vulnerabilities with a high level of Severity and Confidence, indicating the package, the CPE, and the number of CVEs.
Next comes more detailed information, in particular the basis on which the decision was made (evidence), that is, a kind of BOM.
Then come the CPE, the PURL and the CVE descriptions. By the way, fix recommendations are not included because they are absent from the NVD database.
To review scan results systematically, you can set up Nginx with minimal configuration, or send the resulting defects to a defect management system that supports Dependency-Check connectors, for example Defect Dojo.
Dependency-Track
Installation
Dependency-Track, in turn, is a web platform with visual graphs, so the pressing question of where to store defects from a third-party solution does not arise here.
The supported installation options are: Docker, WAR, Executable WAR.
First run
We go to the URL of the running service. We log in as admin/admin, change the login and password, and then land on the Dashboard. The next thing we do is create a project for a Java test application in Home/Projects → Create Project. Let's take DVJA as an example.
Since Dependency-Track accepts only a BOM as input, this BOM has to be obtained. Let's use:
mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
We get bom.xml and upload it into the created project: DVJA → Dependencies → Upload BOM.
Let's go to Administration → Analyzers. We see that only the Internal Analyzer, which includes NVD, is enabled. Let's also connect Sonatype OSS Index.
As a result, we get the following picture for our project:
Also in the list you can find one vulnerability applied by Sonatype OSS:
The main disappointment was that Dependency-Track does not accept Dependency-Check XML reports. The last supported versions for the Dependency-Check integration were 1.0.0 - 4.0.2, while I tested 5.3.2.
Nexus IQ
First run
Nexus IQ was installed from the archives
After logging in to the console, you need to create an Organization and an Application.
As you can see, setting up IQ is somewhat more involved, because we also need to create policies that apply to different "stages" (dev, build, stage, release). This is needed to block vulnerable components as they move through the pipeline closer to production, or to block them as soon as they enter Nexus Repo when developers download them.
To feel the difference between open source and commercial, let's run the same scan through Nexus IQ, similarly to dvja-test-and-compare:
mvn com.sonatype.clm:clm-maven-plugin:evaluate -Dclm.applicationId=dvja-test-and-compare -Dclm.serverUrl=<NEXUSIQIP> -Dclm.username=<USERNAME> -Dclm.password=<PASSWORD>
Follow the URL of the generated report in the IQ web interface:
Here you can see all policy violations with an indication of their importance level (from Info to Security Critical). The letter D next to a component means it is a Direct Dependency; the letter T means it is a Transitive Dependency.
By the way, the report
If we open one of the Nexus IQ policy violations, we can see the component description as well as the Version Graph, which shows where the current version sits on the timeline and at what point the vulnerability stops applying. The height of the candles on the graph shows how popular the use of this component is.
If you go to the vulnerabilities section and expand a CVE, you can read the vulnerability description, remediation recommendations, and also the reason this component was flagged, namely the presence of the class DiskFileitem.class.
Let's summarize only what relates to third-party Java components, excluding the js components. In parentheses we give the number of vulnerabilities found outside NVD.
Nexus IQ totals:
- Dependencies scanned: 62
- Vulnerable dependencies: 16
- Vulnerabilities found: 42 (8 sonatype db)
Dependency-Check totals:
- Dependencies scanned: 47
- Vulnerable dependencies: 13
- Vulnerabilities found: 91 (14 sonatype oss)
Dependency-Track totals:
- Dependencies scanned: 59
- Vulnerable dependencies: 10
- Vulnerabilities found: 51 (1 sonatype oss)
In the following steps we analyze the results obtained and determine which of these vulnerabilities are real defects and which are false positives.
Disclaimer
This review is not an indisputable truth. The author did not set out to highlight one tool against the background of the others. The purpose of the review was to show how SCA tools work and how to verify their results.
Comparison of results
Conditions:
False positives for third-party component vulnerabilities are:
- A CVE that does not match the identified component
  - For example, if a vulnerability is identified in the struts2 framework and the tool points to a component of the struts-tiles framework, to which this vulnerability does not apply, then this is a false positive.
- A CVE that does not match the identified version of the component
  - For example, the vulnerability is tied to Python version > 3.5 and the tool marks version 2.7 as vulnerable; this is a false positive, since the vulnerability actually applies only to the 3.x branch of the product.
- A duplicate CVE
  - For example, if SCA identifies a CVE that enables RCE, and then SCA also identifies for the same component a CVE that applies to Cisco products affected by that RCE. In this case it is a false positive.
  - For example, a CVE is found in the spring-web component, after which SCA points to the same CVE for other Spring Framework components, although the CVE has nothing to do with the other components. In this case it is a false positive.
The object of the study was the open source project DVJA. The study covered only Java components (without js).
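Added example (not code from the article) for the second false-positive category above, a CVE that does not match the component version: it evaluates NVD-style affected ranges against a component version and labels a tool's verdict the way the article's TRUE/FALSE columns do. The NVD ranges are the ones the article quotes later for CVE-2020-5398 in spring-web:3.0.5; the extra range starting at 3.0.2.RELEASE is my assumption based on the Sonatype note quoted there, and the range wording parser and all names are mine.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple, Union

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """'5.2.3' -> (5, 2, 3); qualifiers such as '.RELEASE' or '-SNAPSHOT' are dropped."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"no numeric version in {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def compare(a: Version, b: Version) -> int:
    """Three-way compare with zero padding so that 5.2 == 5.2.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


@dataclass(frozen=True)
class Range:
    """branch: prefix the version must share ('5.2.x' -> (5, 2));
    lo: lower bound (inclusive unless lo_inclusive is False);
    hi: exclusive upper bound, i.e. the version that carries the fix."""
    branch: Optional[Version] = None
    lo: Optional[Version] = None
    hi: Optional[Version] = None
    lo_inclusive: bool = True

    def contains(self, v: Version) -> bool:
        if self.branch is not None and v[:len(self.branch)] != self.branch:
            return False
        if self.lo is not None:
            c = compare(v, self.lo)
            if c < 0 or (c == 0 and not self.lo_inclusive):
                return False
        if self.hi is not None and compare(v, self.hi) >= 0:
            return False
        return True


# accepted wordings: "5.2.x before 5.2.3", "before 2.3.28", "> 3.5", ">= 3.0.2"
RANGE_RE = re.compile(
    r"^(?:(?P<branch>\d+(?:\.\d+)*)\.x\s+)?"
    r"(?:before\s+(?P<hi>\S+)|(?P<op>>=?)\s*(?P<lo>\S+))$")


def parse_range(text: str) -> Range:
    m = RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported range wording: {text!r}")
    return Range(
        branch=parse_version(m["branch"]) if m["branch"] else None,
        lo=parse_version(m["lo"]) if m["lo"] else None,
        hi=parse_version(m["hi"]) if m["hi"] else None,
        lo_inclusive=(m["op"] != ">"))


def is_affected(version: str, ranges: Sequence[Union[str, Range]]) -> bool:
    """True if the version falls into any of the advisory's ranges."""
    v = parse_version(version)
    return any((parse_range(r) if isinstance(r, str) else r).contains(v)
               for r in ranges)


def classify(version: str, ranges: Sequence[Union[str, Range]], flagged: bool) -> str:
    """Label a tool's verdict against the range data (TRUE/FALSE columns of the tables)."""
    affected = is_affected(version, ranges)
    if flagged:
        return "true positive" if affected else "false positive"
    return "false negative" if affected else "true negative"


# NVD wording for CVE-2020-5398 as quoted in the article
NVD_CVE_2020_5398 = ["5.2.x before 5.2.3", "5.1.x before 5.1.13", "5.0.x before 5.0.16"]
# assumed extension following the Sonatype note that the bug was introduced in 3.0.2.RELEASE
SONATYPE_CVE_2020_5398 = NVD_CVE_2020_5398 + [
    Range(lo=parse_version("3.0.2.RELEASE"), hi=parse_version("5.0.16"))]
```

With NVD data alone, a tool flagging spring-web 3.0.5 for CVE-2020-5398 is scored a false positive, and one staying silent a true negative; with the extended range the same verdicts become true positive and false negative, which is the disagreement the article observes between Nexus IQ and the two open source tools.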
Summary results
Let's go straight to the results of the manual review of the identified vulnerabilities. The full report for each CVE can be found in the Appendix.
Summary results for all vulnerabilities:

| Parameter | Nexus IQ | Dependency-Check | Dependency-Track |
|---|---|---|---|
| Total vulnerabilities identified | 42 | 91 | 51 |
| Incorrectly identified vulnerabilities | 2 (4.76%) | 62 (68.13%) | 29 (56.86%) |
| Relevant vulnerabilities not found (false negatives) | 10 | 20 | 27 |

Summary results by component:

| Parameter | Nexus IQ | Dependency-Check | Dependency-Track |
|---|---|---|---|
| Total components identified | 62 | 47 | 59 |
| Total vulnerable components | 16 | 13 | 10 |
| Incorrectly identified vulnerable components | 1 | 5 | 0 |
| Vulnerable components not found | 0 | 6 | 6 |

Let's build visual graphs to assess the share of false positives and false negatives in the total number of vulnerabilities. Components are plotted horizontally, and the vulnerabilities identified in them vertically.
For comparison, a similar study was carried out by the Sonatype team, which tested a project of 1531 components with OWASP Dependency-Check. As we can see, the ratio of noise to correct responses is similar to our results.
Let's look at some CVEs from the scan results to understand the reasons behind these results.
No. 1
Let's first look at some interesting points about Sonatype Nexus IQ.
Nexus IQ flags an issue related to the possibility of RCE in the Spring Framework several times: first CVE-2016-1000027 in spring-web:3.0.5, and then CVE-2011-2894 in spring-context:3.0.5 and spring-core:3.0.5. At first it looks as if one vulnerability is duplicated across several CVEs, because if you look up CVE-2016-1000027 and CVE-2011-2894 in the NVD database, everything seems clear.

| Component | Vulnerability |
|---|---|
| spring-web:3.0.5 | CVE-2016-1000027 |
| spring-context:3.0.5 | CVE-2011-2894 |
| spring-core:3.0.5 | CVE-2011-2894 |

CVE-2011-2894 itself is quite well known. According to the report on RemoteInvocationSerializingExporter for CVE-2011-2894, the vulnerability is observed in HttpInvokerServiceExporter. This is what Nexus IQ told us:
However, there is nothing of the kind in NVD, which is why Dependency-Check and Dependency-Track each get a false negative.
Also, from the description of CVE-2011-2894 it can be understood that the vulnerability is actually present in both spring-context:3.0.5 and spring-core:3.0.5. Confirmation of this can be found in an article by the person who discovered this vulnerability.
No. 2

| Component | Vulnerability | Result |
|---|---|---|
| struts2-core: 2.3.30 | CVE-2016-4003 | FALSE |

If we study the vulnerability CVE-2016-4003, we find that it was fixed in version 2.3.28; nevertheless, Nexus IQ reports it to us. There is a note in the vulnerability description:
That is, the vulnerability exists only in combination with an outdated version of the JRE, which they decided to warn us about. Nevertheless, we consider this a false positive, although not the worst one.
No. 3

| Component | Vulnerability | Result |
|---|---|---|
| xwork-core: 2.3.30 | CVE-2017-9804 | TRUE |
| xwork-core: 2.3.30 | CVE-2017-7672 | FALSE |

If we look at the descriptions of CVE-2017-9804 and CVE-2017-7672, we understand that the problem is in the URLValidator class, with CVE-2017-9804 originating from CVE-2017-7672. The presence of the second vulnerability adds nothing useful except that the severity rises to High, so we can consider it unnecessary noise.
In total, no other false positives were found for Nexus IQ.
No. 4
There are a few things that set IQ apart from the other solutions.

| Component | Vulnerability | Result |
|---|---|---|
| spring-web:3.0.5 | CVE-2020-5398 | TRUE |

The CVE in NVD states that it applies only to versions 5.2.x before 5.2.3, 5.1.x before 5.1.13, and versions 5.0.x before 5.0.16; however, if we look at the CVE description in Nexus IQ, we see the following:
Advisory deviation notice: The Sonatype security research team discovered that the vulnerability was introduced in version 3.0.2.RELEASE and not 5.0.x as stated in the advisory.
This is followed by a PoC for this vulnerability, which states that it is present in version 3.0.5.
Dependency-Check and Dependency-Track each get a false negative here.
No. 5
Let's look at the false positives of Dependency-Check and Dependency-Track.
Dependency-Check tends to project CVEs that NVD applies to the framework as a whole onto components to which these CVEs do not apply. This concerns CVE-2012-0394, CVE-2013-2115, CVE-2014-0114, CVE-2015-0899, CVE-2015-2992, CVE-2016-1181, CVE-2016-1182, which Dependency-Check attributes to struts-taglib:1.3.8 and struts-tiles-1.3.8. These components have nothing to do with what is described in the CVEs: request processing, page validation, and the like. The reason is that the only thing these CVEs and these components have in common is the framework, which is why Dependency-Check considered them vulnerable.
The situation is similar for spring-tx:3.0.5, and similar again for struts-core:1.3.8. For struts-core, Dependency-Check and Dependency-Track found many vulnerabilities that actually apply to struts2-core, which is essentially a separate framework. In this case Nexus IQ understood the picture correctly, and in the CVEs it reported it indicated that struts-core has reached end of life and a migration to struts2-core is needed.
No. 6
In some cases it is unfair to treat the error of Dependency-Check and Dependency-Track as obvious. In particular, CVE-2013-4152, CVE-2013-6429, CVE-2013-6430, CVE-2013-7315, CVE-2014-0054, CVE-2014-0225, which Dependency-Check attributed to spring-core:3.0.5, actually belong to spring-web:3.0.5. At the same time, some of these CVEs were also found by Nexus IQ, but IQ correctly attributed them to a different component. Since these vulnerabilities are not in spring-core, it cannot be argued that they are absent from the framework as such, and the open source tools did point to these vulnerabilities correctly (they just missed slightly).
Conclusions
As we can see, determining the reliability of the identified vulnerabilities by manual review does not give unambiguous results, which is why controversial cases arise. The outcome is that the Nexus IQ solution has the lowest false positive rate and the highest accuracy.
First of all, this is because the Sonatype team has expanded the description of every NVD CVE in its own database, specifying the vulnerability of a particular component down to the class or function, and has done additional research (for example, checking whether older software versions are vulnerable).
The results are also significantly influenced by vulnerabilities that are not included in NVD but are nevertheless present in the Sonatype database with the SONATYPE tag. According to the report
As a result, Dependency-Check produces a lot of noise while missing some vulnerable components. Dependency-Track produces less noise and detects a large number of components, which is not visually painful to look at in the web interface.
Nevertheless, practice shows that open source should be the first step towards DevSecOps. The first thing to think about when integrating SCA into development is the process, that is, working out together with management and the related departments what the ideal process should look like in your organization. It may turn out that for your organization, initially, Dependency-Check or Dependency-Track will cover all business needs, and commercial solutions will be a logical continuation as the applications being developed become more complex.
Appendix A: Results by component
Legend:
- High - vulnerability of high or critical risk level in the component
- Medium - vulnerability of medium risk level in the component
- TRUE - true positive
- FALSE - false positive

| Component | Nexus IQ | Dependency-Check | Dependency-Track | Result |
|---|---|---|---|---|
| dom4j:1.6.1 | High | High | High | TRUE |
| log4j-core:2.3 | High | High | High | TRUE |
| log4j:1.2.14 | High | High | - | TRUE |
| commons-collections:3.1 | High | High | High | TRUE |
| commons-fileupload:1.3.2 | High | High | High | TRUE |
| commons-beanutils:1.7.0 | High | High | High | TRUE |
| commons-codec:1.10 | Medium | - | - | TRUE |
| mysql-connector-java:5.1.42 | High | High | High | TRUE |
| spring-expression:3.0.5 | High | component not found | - | TRUE |
| spring-web:3.0.5 | High | component not found | High | TRUE |
| spring-context:3.0.5 | Medium | component not found | - | TRUE |
| spring-core:3.0.5 | Medium | High | High | TRUE |
| struts2-config-browser-plugin:2.3.30 | Medium | - | - | TRUE |
| spring-tx:3.0.5 | - | High | - | FALSE |
| struts-core:1.3.8 | High | High | High | TRUE |
| xwork-core:2.3.30 | High | - | - | TRUE |
| struts2-core:2.3.30 | High | High | High | TRUE |
| struts-taglib:1.3.8 | - | High | - | FALSE |
| struts-tiles-1.3.8 | - | High | - | FALSE |
Appendix B: Results by vulnerability
Legend:
- High - vulnerability of high or critical risk level in the component
- Medium - vulnerability of medium risk level in the component
- TRUE - true positive
- FALSE - false positive

| Component | Nexus IQ | Dependency-Check | Dependency-Track | Severity | Result | Comment |
|---|---|---|---|---|---|---|
| dom4j:1.6.1 | CVE-2018-1000632 | CVE-2018-1000632 | CVE-2018-1000632 | High | TRUE | |
| | CVE-2020-10683 | CVE-2020-10683 | CVE-2020-10683 | High | TRUE | |
| log4j-core:2.3 | CVE-2017-5645 | CVE-2017-5645 | CVE-2017-5645 | High | TRUE | |
| | CVE-2020-9488 | CVE-2020-9488 | CVE-2020-9488 | Low | TRUE | |
| log4j:1.2.14 | CVE-2019-17571 | CVE-2019-17571 | - | High | TRUE | |
| | - | CVE-2020-9488 | - | Low | TRUE | |
| | SONATYPE-2010-0053 | - | - | High | TRUE | |
| commons-collections:3.1 | - | CVE-2015-6420 | CVE-2015-6420 | High | FALSE | Duplicate of the RCE (OSSINDEX) |
| | - | CVE-2017-15708 | CVE-2017-15708 | High | FALSE | Duplicate of the RCE (OSSINDEX) |
| | SONATYPE-2015-0002 | RCE (OSSINDEX) | RCE (OSSINDEX) | High | TRUE | |
| commons-fileupload:1.3.2 | CVE-2016-1000031 | CVE-2016-1000031 | CVE-2016-1000031 | High | TRUE | |
| | SONATYPE-2014-0173 | - | - | Medium | TRUE | |
| commons-beanutils:1.7.0 | CVE-2014-0114 | CVE-2014-0114 | CVE-2014-0114 | High | TRUE | |
| | - | CVE-2019-10086 | CVE-2019-10086 | High | FALSE | The vulnerability applies only to versions 1.9.2+ |
| commons-codec:1.10 | SONATYPE-2012-0050 | - | - | Medium | TRUE | |
| mysql-connector-java:5.1.42 | CVE-2018-3258 | CVE-2018-3258 | CVE-2018-3258 | High | TRUE | |
| | CVE-2019-2692 | CVE-2019-2692 | - | Medium | TRUE | |
| | - | CVE-2020-2875 | - | Medium | FALSE | Same vulnerability as CVE-2019-2692, but with the note "attacks can significantly impact additional products" |
| | - | CVE-2017-15945 | - | High | FALSE | Not applicable to mysql-connector-java |
| | - | CVE-2020-2933 | - | Low | FALSE | Duplicate of CVE-2020-2934 |
| | CVE-2020-2934 | CVE-2020-2934 | - | Medium | TRUE | |
| spring-expression:3.0.5 | CVE-2018-1270 | component not found | - | High | TRUE | |
| | CVE-2018-1257 | - | - | Medium | TRUE | |
| spring-web:3.0.5 | CVE-2016-1000027 | component not found | - | High | TRUE | |
| | CVE-2014-0225 | - | CVE-2014-0225 | High | TRUE | |
| | CVE-2011-2730 | - | - | High | TRUE | |
| | - | - | CVE-2013-4152 | Medium | TRUE | |
| | CVE-2018-1272 | - | - | High | TRUE | |
| | CVE-2020-5398 | - | - | High | TRUE | An illustrative example in favour of IQ: "The Sonatype security research team discovered that the vulnerability was introduced in version 3.0.2.RELEASE and not 5.0.x as stated in the advisory." |
| | CVE-2013-6429 | - | - | Medium | TRUE | |
| | CVE-2014-0054 | - | CVE-2014-0054 | Medium | TRUE | |
| | CVE-2013-6430 | - | - | Medium | TRUE | |
| spring-context:3.0.5 | CVE-2011-2894 | component not found | - | Medium | TRUE | |
| spring-core:3.0.5 | - | CVE-2011-2730 | CVE-2011-2730 | High | TRUE | |
| | CVE-2011-2894 | CVE-2011-2894 | CVE-2011-2894 | Medium | TRUE | |
| | - | - | CVE-2013-4152 | Medium | FALSE | Same vulnerability as in spring-web |
| | - | CVE-2013-4152 | - | Medium | FALSE | The vulnerability relates to the spring-web component |
| | - | CVE-2013-6429 | CVE-2013-6429 | Medium | FALSE | The vulnerability relates to the spring-web component |
| | - | CVE-2013-6430 | - | Medium | FALSE | The vulnerability relates to the spring-web component |
| | - | CVE-2013-7315 | CVE-2013-7315 | Medium | FALSE | SPLIT from CVE-2013-4152, and the vulnerability relates to the spring-web component |
| | - | CVE-2014-0054 | CVE-2014-0054 | Medium | FALSE | The vulnerability relates to the spring-web component |
| | - | CVE-2014-0225 | - | High | FALSE | The vulnerability relates to the spring-web component |
| | - | - | CVE-2014-0225 | High | FALSE | Same vulnerability as in spring-web |
| | - | CVE-2014-1904 | CVE-2014-1904 | Medium | FALSE | The vulnerability relates to the spring-webmvc component |
| | - | CVE-2014-3625 | CVE-2014-3625 | Medium | FALSE | The vulnerability relates to the spring-webmvc component |
| | - | CVE-2016-9878 | CVE-2016-9878 | High | FALSE | The vulnerability relates to the spring-webmvc component |
| | - | CVE-2018-1270 | CVE-2018-1270 | High | FALSE | spring-expression / spring-messages |
| | - | CVE-2018-1271 | CVE-2018-1271 | Medium | FALSE | The vulnerability relates to the spring-webmvc component |
| | - | CVE-2018-1272 | CVE-2018-1272 | High | TRUE | |
| | CVE-2014-3578 | CVE-2014-3578 (OSSINDEX) | CVE-2014-3578 | Medium | TRUE | |
| | SONATYPE-2015-0327 | - | - | Low | TRUE | |
| struts2-config-browser-plugin:2.3.30 | SONATYPE-2016-0104 | - | - | Medium | TRUE | |
| spring-tx:3.0.5 | - | CVE-2011-2730 | - | High | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2011-2894 | - | High | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2013-4152 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2013-6429 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2013-6430 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2013-7315 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2014-0054 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2014-0225 | - | High | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2014-1904 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2014-3625 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2016-9878 | - | High | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2018-1270 | - | High | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2018-1271 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| | - | CVE-2018-1272 | - | Medium | FALSE | The vulnerability is not specific to spring-tx |
| struts-core:1.3.8 | - | CVE-2011-5057 (OSSINDEX) | | Medium | FALSE | Struts 2 vulnerability |
| | - | CVE-2012-0391 (OSSINDEX) | CVE-2012-0391 | High | FALSE | Struts 2 vulnerability |
| | - | CVE-2014-0094 (OSSINDEX) | CVE-2014-0094 | Medium | FALSE | Struts 2 vulnerability |
| | - | CVE-2014-0113 (OSSINDEX) | CVE-2014-0113 | High | FALSE | Struts 2 vulnerability |
| | CVE-2016-1182 | CVE-2016-1182 | - | High | TRUE | |
| | - | - | CVE-2011-5057 | Medium | FALSE | Struts 2 vulnerability |
| | - | CVE-2012-0392 (OSSINDEX) | CVE-2012-0392 | High | FALSE | Struts 2 vulnerability |
| | - | CVE-2012-0393 (OSSINDEX) | CVE-2012-0393 | Medium | FALSE | Struts 2 vulnerability |
| | CVE-2015-0899 | CVE-2015-0899 | - | High | TRUE | |
| | - | CVE-2012-0394 | CVE-2012-0394 | Medium | FALSE | Struts 2 vulnerability |
| | - | CVE-2012-0838 (OSSINDEX) | CVE-2012-0838 | High | FALSE | Struts 2 vulnerability |
| | - | CVE-2013-1965 (OSSINDEX) | CVE-2013-1965 | High | FALSE | Struts 2 vulnerability |
| | - | CVE-2013-1966 (OSSINDEX) | CVE-2013-1966 | High | FALSE | Struts 2 vulnerability |
| | - | CVE-2013-2115 | CVE-2013-2115 | High | FALSE | Struts 2 vulnerability |
| | - | CVE-2013-2134 (OSSINDEX) | CVE-2013-2134 | High | FALSE | Struts 2 vulnerability |
| | - | CVE-2013-2135 (OSSINDEX) | CVE-2013-2135 | High | FALSE | Struts 2 vulnerability |
| | CVE-2014-0114 | CVE-2014-0114 | - | High | TRUE | |
| | - | CVE-2015-2992 | CVE-2015-2992 | Medium | FALSE | Struts 2 vulnerability |
| | - | CVE-2016-0785 (OSSINDEX) | CVE-2016-0785 | High | FALSE | Struts 2 vulnerability |
| | CVE-2016-1181 | CVE-2016-1181 | - | High | TRUE | |
| | - | CVE-2016-4003 (OSSINDEX) | CVE-2016-4003 | High | FALSE | Struts 2 vulnerability |
| xwork-core:2.3.30 | CVE-2017-9804 | - | - | High | TRUE | |
| | SONATYPE-2017-0173 | - | - | High | TRUE | |
| | CVE-2017-7672 | - | - | High | FALSE | Duplicate of CVE-2017-9804 |
| | SONATYPE-2016-0127 | - | - | High | TRUE | |
| struts2-core:2.3.30 | - | CVE-2016-6795 | CVE-2016-6795 | High | TRUE | |
| | - | CVE-2017-9787 | CVE-2017-9787 | High | TRUE | |
| | - | CVE-2017-9791 | CVE-2017-9791 | High | TRUE | |
| | - | CVE-2017-9793 | - | High | FALSE | Duplicate of CVE-2018-1327 |
| | - | CVE-2017-9804 | - | High | TRUE | |
| | - | CVE-2017-9805 | CVE-2017-9805 | High | TRUE | |
| | CVE-2016-4003 | - | - | Medium | FALSE | Applies to Apache Struts 2.x up to 2.3.28, whereas this is version 2.3.30. However, according to the description the CVE is valid for any Struts 2 version if JRE 1.7 or lower is used. Apparently they decided to warn us here, but it looks like FALSE |
| | - | CVE-2018-1327 | CVE-2018-1327 | High | TRUE | |
| | CVE-2017-5638 | CVE-2017-5638 | CVE-2017-5638 | High | TRUE | The same vulnerability the Equifax attackers exploited in 2017 |
| | CVE-2017-12611 | CVE-2017-12611 | - | High | TRUE | |
| | CVE-2018-11776 | CVE-2018-11776 | CVE-2018-11776 | High | TRUE | |
| struts-taglib:1.3.8 | - | CVE-2012-0394 | - | Medium | FALSE | For struts2-core |
| | - | CVE-2013-2115 | - | High | FALSE | For struts2-core |
| | - | CVE-2014-0114 | - | High | FALSE | Belongs under commons-beanutils |
| | - | CVE-2015-0899 | - | High | FALSE | Not applicable to taglib |
| | - | CVE-2015-2992 | - | Medium | FALSE | Refers to struts2-core |
| | - | CVE-2016-1181 | - | High | FALSE | Not applicable to taglib |
| | - | CVE-2016-1182 | - | High | FALSE | Not applicable to taglib |
| struts-tiles-1.3.8 | - | CVE-2012-0394 | - | Medium | FALSE | For struts2-core |
| | - | CVE-2013-2115 | - | High | FALSE | For struts2-core |
| | - | CVE-2014-0114 | - | High | FALSE | Belongs under commons-beanutils |
| | - | CVE-2015-0899 | - | High | FALSE | Not applicable to tiles |
| | - | CVE-2015-2992 | - | Medium | FALSE | For struts2-core |
| | - | CVE-2016-1181 | - | High | FALSE | Not applicable to taglib |
| | - | CVE-2016-1182 | - | High | FALSE | Not applicable to taglib |
Source: www.habr.com